Linear logics have been shown to be able to embed both rewriting-based approaches and 
process calculi in a single, declarative framework. In this paper we are exploring the 
embedding of double-pushout graph transformations into quantified linear logic, leading 
to a Curry-Howard style isomorphism between graphs / transformations and formulas / 
proof terms. With linear implication representing rules and reachability of graphs, and the 
tensor modelling parallel composition of graphs / transformations, we obtain a language 
able to encode graph transformation systems and their computations as well as reason about 
their properties. 

1 Introduction 

Graphs are among the simplest and most universal models for a variety of systems, not just in 
computer science, but throughout engineering and life sciences. When systems evolve, we are 
generally interested in the way they change, to predict, support, or react to evolution. Graph 
transformation systems (GTS) combine the idea of graphs, as a universal modelling paradigm, 
with a rule-based approach to specify the evolution of systems. The double-pushout approach 
(DPO) [8] is arguably the most mature of the mathematically-founded approaches to graph 
transformation, with a rich theory of concurrency comparable to (and inspired by) those of 
place-transition Petri nets and term rewriting systems. 

The fact that graph transformations are specified at the level of visual rules is very important 
at the intuitive level. However, these specifications are still operational rather than declarative. 
In order to reason about them, and to prove their properties at a realisation-independent 
level, a logics-based representation is desirable. Intuitionistic linear logic (ILL) allows us to 
reason about concurrent processes at a level of abstraction which can vary from statements on 
individual steps to the overall effect of a longer computation. Unlike operational formalisms, 
linear logics are not bound to any particular programming or modelling paradigm and thus 
have a potential for integrating and comparing different such paradigms through embeddings 
[10,1]. 

What makes ILL well applicable to GTS is the handling of resources and the way this allows 
for expressing creation/deletion of graph components. However, expressing the notion of 
pattern matching used in DPO in logic terms is not straightforward — to this purpose we extend 
ILL with a form of resource-bound quantification. In this paper we propose an embedding of 
DPO-GTS in a variant of quantified intuitionistic linear logic with proof terms (QILL). Our 
translation relies on a preliminary algebraic presentation of DPO-GTS in terms of an SHR-style 
formalism [9], which gives us syntactic notions of graph expression and transformation rule. 
QILL is based on linear $\lambda$-calculus [2, 5, 14], and is obtained by adding to ILL standard 
universal quantification ($\forall$), and a form of resource-bound existential quantification ($\exists$), 
associating a linear resource to each variable — in this respect quite different from the intensional 
quantifiers in [16]. In order to deal with the nominal aspect, we use non-quantifiable constants, 
treated as linear resources, to which individual variables may refer — unlike nominal logic 
[15, 4], where names can be treated as bindable atoms. 

We translate algebraic graph expressions to linear $\lambda$-calculus, so that component identity is 
represented in the proof-terms, whereas typing information and connectivity is represented in 
the logic formula. We obtain a Curry-Howard style isomorphism between graph expressions 
and a subset of typing derivations, and between graphs and a subset of logic formulas (graph 
formulas) modulo linear equivalence. This can be extended to a mapping from GTS runs into 
typing derivations, and from reachable graphs into logic formulas. We hope that this approach 
will offer the possibility of applying goal-directed proof-methods [12, 7] to the verification of 
well-formedness and reachability properties in GTS. 

2 Basic concepts and intuition 

Here we give a brief introduction to the main concepts and the ideas behind the approach we 
are working on, before getting further into details. 

2.1 Hypergraphs and their Transformations 

Graph transformations can be defined on a variety of graph structures, including simple edge- 
or node-labelled graphs, attributed or typed graphs, etc. In this paper we prefer typed 
hypergraphs, whose n-ary hyperedges can be presented as predicates in the logic. 

A hypergraph $(V, E, s)$ consists of a set $V$ of vertices, a set $E$ of hyperedges and a function 
$s : E \to V^*$ assigning to each edge a sequence of vertices in $V$. A morphism of hypergraphs is a 
pair of functions $\varphi_V : V_1 \to V_2$ and $\varphi_E : E_1 \to E_2$ that preserve the assignments of nodes, that is, 
$\varphi_V^* \circ s_1 = s_2 \circ \varphi_E$. 

Typed hypergraphs are defined in analogy to typed graphs. Fixing a type hypergraph 
$TG = (\mathcal{V}, \mathcal{E}, ar)$ we establish sets of node types $\mathcal{V}$ and edge types $\mathcal{E}$ as well as defining the 
arity $ar(a)$ of each edge type $a \in \mathcal{E}$ as a sequence of node types. A $TG$-typed hypergraph is a 
pair $(HG, type)$ of a hypergraph $HG$ and a morphism $type : HG \to TG$. A $TG$-typed hypergraph 
morphism $f : (HG_1, type_1) \to (HG_2, type_2)$ is a hypergraph morphism $f : HG_1 \to HG_2$ such that 
$type_2 \circ f = type_1$. 

A graph transformation rule is a span of injective hypergraph morphisms $s = (L \xleftarrow{l} K \xrightarrow{r} R)$, 
called a rule span. A hypergraph transformation system (GTS) $\mathcal{G} = (TG, P, \pi, G_0)$ consists of a 
type hypergraph $TG$, a set $P$ of rule names, a function $\pi$ mapping each rule name $p$ to a rule span 
$\pi(p)$, and an initial $TG$-typed hypergraph $G_0$. 

A direct transformation $G \xRightarrow{p,m} H$ is given by a double-pushout (DPO) diagram as shown below, 
where (1), (2) are pushouts and top and bottom are rule spans. If we are not interested in the 
match and/or rule of the transformation we will write $G \xRightarrow{p} H$ or just $G \Rightarrow H$. 

For a GTS $\mathcal{G} = (TG, P, \pi, G_0)$, a derivation $G_0 \Rightarrow^* G_n$ in $\mathcal{G}$ is a sequence of direct 
transformations $G_0 \Rightarrow G_1 \Rightarrow \cdots \Rightarrow G_n$ using the rules in $\mathcal{G}$. The set of all hypergraphs reachable from $G_0$ 
via derivations in $\mathcal{G}$ is denoted by $\mathcal{R}_{\mathcal{G}}$. 

[DPO diagram: the rule span $L \xleftarrow{l} K \xrightarrow{r} R$ on top, $G \leftarrow D \rightarrow H$ at the bottom, 
with the match $m : L \to G$ and the pushout squares (1) and (2)] 

Intuitively, the left-hand side L contains the structures that must be present for an application 
of the rule, the right-hand side R those that are present afterwards, and the gluing graph K 
specifies the "gluing items", i.e., the objects which are read during application, but are not 
consumed. 

Operationally speaking, the transformation is performed in two steps. First, we delete all 
the elements in $G$ that are in the image of $L \setminus l(K)$, leading to the left-hand side pushout (1) and 
the intermediate graph $D$. Then, a copy of $R \setminus r(K)$ is added to $D$, leading to the derived graph 
$H$ via the pushout (2). 

It is important to point out that the first step (deletion) is only defined if a built-in application 
condition, the so-called gluing condition, is satisfied by the match m. This condition, which 
characterises the existence of pushout (1) above, is usually presented in two parts. 

Identification condition: Elements of $L$ that are meant to be deleted are not shared with any 
other elements, i.e., for all $x \in L \setminus l(K)$, $m(x) = m(y)$ implies $x = y$. 

Dangling condition: Nodes that are to be deleted must not be connected to edges in $G$, unless 
they already occur in $L$, i.e., for all $v \in V_G$ such that $v \in m_V(L_V)$, if there exists $e \in E_G$ such 
that $s(e) = v_1 \ldots v \ldots v_n$, then $e \in m_E(L_E)$. 

The first condition guarantees two intuitively separate properties of the approach: First, 
nodes and edges that are deleted by the rule are treated as resources, i.e., $m$ is injective on 
$L \setminus l(K)$. Second, there must not be conflicts between deletion and preservation, i.e., $m(L \setminus l(K))$ 
and $m(l(K))$ are disjoint. 

The second condition ensures that after the deletion of nodes, the remaining structure is 
still a graph and does not contain edges short of a node. It is the first condition which makes 
linear logic so attractive for graph transformation. Crucially, it is also reflected in the notion of 
concurrency of the approach, where items that are deleted cannot be shared between concurrent 
transformations. 

There is a second, more declarative interpretation of the DPO diagram as defining a rewrite 
relation over graphs. Two graphs $G, H$ are in this relation $G \xRightarrow{p} H$ iff there exists a morphism 
$d : K \to D$ from the interface graph of the rule such that $G$ is the pushout object of square (1) 
and $H$ that of square (2) in the diagram above. In our algebraic presentation we will adopt this 
more declarative view. 

As terms are often considered up to renaming of variables, it is common to abstract from 
the identity of nodes and hyperedges considering hypergraphs up to isomorphism. However, 
in order to be able to compose graphs by gluing them along common nodes, these have to be 
identifiable. Such potential gluing points are therefore kept as the interface of a hypergraph, a 
set of nodes $I$ embedded into $HG$ by a morphism $i : I \to HG$. 

An abstract hypergraph $i : I \to [HG]$ is then given by the isomorphism class 
$\{\, i' : I \to HG' \mid \exists \text{ isomorphism } j : HG \to HG' \text{ such that } j \circ i = i' \,\}$. 

If we restrict ourselves to rules with interfaces that are discrete (i.e., containing only nodes, 
but no edges), a rule can be represented as a pair of hypergraphs with a shared interface $I$, 
i.e., $L \Rightarrow R$, such that the set of nodes $I$ is a subgraph of both $L, R$. This restriction does not 
affect expressivity in describing individual transformations because edges can be deleted and 
recreated, but it reduces the level of concurrency. In particular, concurrent transformation steps 
can no longer share edges because only items that are preserved by both rules can be accessed 
concurrently. 

2.2 Linear logic 

ILL is a resource-conscious logic that can be obtained from intuitionistic logic, in terms of 
sequent calculus, by restricting the application of the standard structural rules weakening and 
contraction. ILL formulas can be interpreted as partial states and express transitions in terms of 
the consequence relation [6]. Tensor product ($\otimes$) can be used to represent parallel composition, 
additive conjunction ($\&$) to represent non-deterministic choice, and linear implication ($\multimap$) to 
express reachability. Unlimited resources can be represented via $!$. 

ILL has an algebraic interpretation based on quantales and a categorical one based on 
symmetric monoidal closed categories [2], it has interpretations into Petri nets, and for its 
$\forall$-free fragment, it has a comparatively natural Kripke-style semantics based on a ternary relation 
[11] in common with relevant logics. ILL can be extended with quantifiers. It can also be 
enriched with proof terms, thus obtaining linear $\lambda$-calculus [2, 14], where linear $\lambda$-abstraction 
and linear application require that the abstraction/application term is used only once. We are 
going to rely on an operational semantics in terms of natural deduction rules, following [14]. 

Proofs can be formalised in terms of natural deduction, based on introduction/elimination 
rules closely related to the constructor/destructor duality in recursive datatypes [17]. Proof 
normalisation guarantees modularity, meaning that detours in proofs can be avoided, i.e. one 
does not need to introduce a constructor only to eliminate it thereafter. Proof normalisation shows 
that introducing a constructor brings nothing more than what is taken away by eliminating 
it. 

2.3 GTS in QILL 

We are going to give a representation of graphs and transformations in terms of provable 
sequents. Graphs can be represented by formulas of form $\exists \vec{x} : \vec{A}.\, L_1(\vec{x}_1) \otimes \ldots \otimes L_k(\vec{x}_k)$ where $\vec{x} : \vec{A}$ 
is a sequence $x_1 : A_1, \ldots, x_j : A_j$ of typed variables and $\vec{x}_1, \ldots, \vec{x}_k \subseteq \vec{x}$. A DPO rule (we consider 
rules with interfaces made only of nodes) can be represented as $\forall \vec{x} : \vec{A}.\, \alpha \multimap \beta$ where $\alpha, \beta$ are 
graph expressions. Given rules 

$P_1 = \forall \vec{x}_1.\, \alpha_1 \multimap \beta_1,\ \ldots,\ P_k = \forall \vec{x}_k.\, \alpha_k \multimap \beta_k$ 

a sequent $G_0, P_1, \ldots, P_k \Vdash G_1$ can express that graph $G_1$ is reachable from the initial graph 
$G_0$ by applying them, abstracting away from the application order, each occurrence resulting 
in a transformation step. A sequent $G_0, !P_1, \ldots, !P_k \Vdash G_1$ can express that $G_1$ is reachable from 
$G_0$ by the same rules, regardless of whether or how many times they must be applied. The 
parallel applicability of rules $\forall \vec{x}_1.\, \alpha_1 \multimap \beta_1$, $\forall \vec{x}_2.\, \alpha_2 \multimap \beta_2$ can be represented as applicability of 
$\forall \vec{x}_1, \vec{x}_2.\, \alpha_1 \otimes \alpha_2 \multimap \beta_1 \otimes \beta_2$. 

Logic formulas can be used also to specify graphs according to their properties — such 
as matching certain patterns. Additive conjunction ($\&$) can then be used to express choice, 
and additive disjunction ($\vee$) to express non-deterministic outcome — as from quantale-based 
interpretations of ILL [1]. The formula $G_1 \& G_2$ represents a graph that can match two alternative 
patterns — hence a potential situation of conflict in rule application. The formula $G_1 \vee G_2$ 
represents a graph that may have been obtained in two different ways — hence a situation of 
non-determinism. 

Figure 1: Transformation example 

Negative constraints can be expressed using the intuitionistic-style negation $\neg$. The formula 
$\neg\alpha$ expresses the fact that $\alpha$ must never be reached — in the sense that reaching it implies 
an error. In a weaker sense, the system satisfies the constraint if $\alpha$ does not follow from the 
specification. As an example (Fig. 1), given 

$\alpha =_{df} \exists xyz : A.\, (b(x,y) \otimes b(x,z)) \vee (b(x,y) \otimes b(z,x)) \vee (b(y,x) \otimes b(z,x))$ 

the formula $\neg\alpha$ says that in the system there must be no element of type $A$ which is 
bound with two distinct ones (graphically represented in the upper part of the picture). The 
transformation rule in Fig. 1 can be represented with $\forall xy : A.\, 1 \multimap b(x,y)$; the initial graph with 
$\exists xyz : A.\, b(z,x)$. These two formulas specify our system. The graph transformation determined 
by the application of the rule to the initial graph can be expressed in terms of logic consequence 
as 

$\rho =_{df}\ \ \exists xyz : A.\, b(z,x),\ \forall x_1 x_2 : A.\, 1 \multimap b(x_1,x_2) \ \Vdash\ \exists xyz : A.\, b(z,x) \otimes b(x,y)$ 

When the constraint is added to the premises, a contradiction follows — as $\alpha$ already 
follows from the specification. 

3 An algebraic presentation of DPO transformation of hypergraphs 

Let $V$ be an infinite set of nodes $n_1, n_2, \ldots$ typed in $\mathcal{V}$, and $E$ an infinite set of edges $e_1, e_2, \ldots$ typed 
in $\mathcal{E}$, as before. In general, we assume typing to be implicit — each element $x$ being associated to its 
type by $type(x)$. Making types explicit, we use $A, B, \ldots$ for node types. 

3.1 Graph expressions 

We introduce a notion of constituent 

$C ::= e(n_1, \ldots, n_k) \mid Nil \mid C_1 \,\|\, C_2 \mid \nu n.C$ 

where $e(n_1, \ldots, n_k)$ is an edge component with $type(e) = L_e(A_1, \ldots, A_k)$ when $type(n_1) = A_1, \ldots, type(n_k) = A_k$, 
where $Nil$ is the empty graph and $C_1 \,\|\, C_2$ is the parallel composition of 
components $C_1$ and $C_2$, and where $\nu n.C$ is obtained by restricting node name $n$ in $C$. 

We say that a constituent is normal whenever it has form $\nu \vec{n}.G$, where $\vec{n}$ is a (possibly empty) 
sequence of node names, and $G$ is either $Nil$ or else it does not contain any occurrence of $Nil$. 

Given a constituent $C$, the ground components of $C$ are the nodes and the edge components 
that occur in $C$. We say that $fn(C)$ are the free nodes (unrestricted), $bn(C)$ are the bound nodes 
(restricted), and the set of all nodes is $n(C) =_{df} fn(C) \cup bn(C)$. We denote by $cn(C)$ the connected 
nodes of $C$, i.e. those which occur in ground components of $C$. We say that $ibn(C) =_{df} bn(C) \setminus cn(C)$ 
are the isolated bound nodes of $C$. 

A graph expression is a pair $E = X \vDash C$ where $X \subseteq V$ are nodes and $C$ is a constituent such that 
$fn(C) \subseteq X$. We call $X$ the interface of $E$, or the free nodes of $E$. The nodes of $E$ are $n(E) =_{df} X \cup bn(C)$. 
The isolated free nodes are $ifn(E) =_{df} X \setminus fn(C)$. The isolated nodes of $E$ are $i(E) =_{df} ifn(E) \cup ibn(C)$. 
In general, $X = fn(E) =_{df} ifn(E) \cup fn(C)$, and $n(E) = i(E) \cup cn(C)$. We say that graph expression 
$E$ is ground whenever $bn(C) = \emptyset$, that $E$ is weakly closed whenever $fn(C) = \emptyset$, that $E$ is closed 
whenever $X = \emptyset$, and that $E$ is normal whenever $C$ is normal. For simplicity, we are going to identify 
closed graph expressions with their constituents. 

Let $E_1 = X_1 \vDash C_1$, $E_2 = X_2 \vDash C_2$ be graph expressions in the following. Structural congruence 
between $E_1$ and $E_2$, written $E_1 \equiv E_2$, holds iff $X_1 = X_2$ and $C_1 \equiv C_2$, where $\equiv$ is defined over 
constituents according to the following axioms. 

• The parallel operator $\|$ is associative and commutative, with $Nil$ as neutral element. 

• $\nu n.C \equiv \nu m.C[m/n]$, if $m$ does not occur free in $C$. 
$\nu n.\nu m.C \equiv \nu m.\nu n.C$ 

$\nu n.(C \,\|\, C') \equiv C \,\|\, (\nu n.C')$ if $n$ does not occur free in $C$ 

We do not require $\nu n.C \equiv C$ for $n$ not occurring free in $C$ (we can also say that we do not 
require $\nu$ to satisfy $\eta$-equivalence). This allows us to keep isolated nodes into account. 
For $E = X \vDash C$, we denote by $ec(E)$ the edge components of $C$, and by $gc(E) = n(E) \cup ec(E)$ the 
set of the ground components of $E$. It is not difficult to see the following, with respect to $E_1$ and 
$E_2$. 

Obs. 1 $E_1 \equiv E_2$ if and only if $fn(E_1) = fn(E_2)$ and there is a renaming $\sigma$ of $bn(E_1)$ such that 
$gc(E_1)\sigma = gc(E_2)$. 

One can also see that for each graph expression there is a congruent normal one, and that 
congruent normal expressions are the same up to reordering of prefix elements and ground 
components. 

We say that $E_1$ is a heating of $E_2$ (conversely, that $E_2$ is a cooling of $E_1$), and we write $E_1 \ll E_2$, 
whenever there is a graph expression $E_3 = X_3 \vDash \nu \vec{n}.C_1$ such that $X_3 = X_1 \setminus \{\vec{n}\}$ (for $\vec{n}$ a possibly 
empty sequence of node names) and $E_3 \equiv E_2$ — i.e. when $E_2$ can be obtained from $E_1$ modulo 
congruence by restricting node names. Therefore, intuitively, $E_1$ is one of the smallest patterns 
$E_2$ can match with, and conversely, $E_2$ is one of the largest graphs that can match with $E_1$. This 
essentially means that, although not congruent, as operationally different, $E_1$ and $E_2$ share the 
same structure. 

An abstract hypergraph in the sense of section 2.1 is represented by an equivalence class of 
graph expressions up to structural congruence. Intuitively, the free names correspond to nodes 
in the interface while bound names represent internal nodes. 

We will often refer to these equivalence classes as graphs, while reserving the term hypergraph 
for the real thing. We say that a graph expression represents a graph (is a representative 
of the graph) when it belongs to the equivalence class. A graph is (weakly) closed whenever it 
is represented by a (weakly) closed graph expression. Clearly, every closed graph has a closed 
normal representative. 

It is not difficult to see that a graph can also be represented as the class of all the heatings 
of its representatives — leading to a semantics based on partial orders rather than equivalence 
relations. We will refer to heatings of graph expressions that represent subgraphs of a given 
expression E as heating fragments of E (conversely, their cooling compound). 

3.2 Transformation rules 

In order to represent transformation rules we need to deal with the matching of free nodes. To 
this purpose we introduce variables $x, y, \ldots$ ranging over nodes, substitution of nodes for free 
variables ($E[m/x]$, where $m$ does not contain occurrences that become bound), variable binding 
(by $\lambda$) and application. 

For $E_1, E_2$ closed graph expressions, $E_1 \Rightarrow E_2$ denotes the transformation that goes from $E_1$ 
to $E_2$. Given graph expressions $E_1 = K \vDash L$ and $E_2 = K \vDash R$ sharing the same interface and no free 
isolated nodes, we represent the transformation rule $\pi(p) = L \xleftarrow{l} K \xrightarrow{r} R$ by the rule expression 
$\lambda \vec{x}.\, L \Rightarrow R$, where $\vec{x} = x_1, \ldots, x_k$ is a sequence of variables associated to the node names in $K$. 
Essentially, we represent rules by replacing each free node with a bound variable. 

Given a closed graph representative $G$, a match for $\pi(p)$ in $G$ (as pictured in section 2.1) 
is determined by a graph homomorphism $d : K \to n(G)$ which determines the left-hand side 
morphism $m : L \to G$, with components $m_v : bn(L) \to n(G)$ and $m_e : ec(L) \to ec(G)$, as well as the right- 
hand side morphism $m^* : R \to H$, with components $m^*_v : bn(R) \to n(H)$ and $m^*_e : ec(R) \to ec(H)$. 

The dangling edge condition means that if $n$ is in the domain of $m_v$ and occurs in component 
$c$, then $c$ must be in the domain of $m_e$. The identification condition requires that $m_v$ and $m_e$ are 
injective, and that the images of $d$ and $m_v$ are disjoint. The injectivity of $m^*_v$ and $m^*_e$ follows, as 
well as the disjointness of the images of $d$ and $m^*_v$. 

The injective components can be represented in terms of inclusion, whereas the 
interface morphism $d$ can be represented in terms of substitution, i.e. we represent $d$ by 
$[\vec{n}/\vec{x}] = [n_1/x_1, \ldots, n_k/x_k]$, where $\vec{n} = \{n_1, \ldots, n_k\} \subseteq n(G)$. The following operational rule (application 
schema) represents the application of the transformation rule $p$ with match $m$ (determined 
by $d$) 

\[
\frac{\pi(p) = \lambda \vec{x}.\, L \Rightarrow R \qquad G \equiv \nu \vec{n}.(L[\vec{n}/\vec{x}] \,\|\, C) \qquad H \equiv \nu \vec{n}.(R[\vec{n}/\vec{x}] \,\|\, C)}{G \xRightarrow{(p,m)} H}
\]

where $G$ is a closed graph expression — and therefore $H$ is, too. 

Obs. 2 The application schema satisfies the DPO conditions. 

Let $L' = L[\vec{n}/\vec{x}]$, $R' = R[\vec{n}/\vec{x}]$. The definition and the injectivity of the component 
morphisms $m_v, m_e, m^*_v, m^*_e$ follow from the inclusion of $L'$ and $R'$ as subexpressions in 
refactorings of $G$ and $H$, respectively. The disjointness condition holds by the fact that the 
variables in $\vec{x}$ are substituted with nodes that are free in $L'$ and $R'$, and therefore cannot 
be identified with bound nodes in either constituent. The dangling edge condition holds 
by the fact that, for each node $n \in bn(L')$, edge components depending on $n$ can only be in 
$ec(L')$. 
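As an added illustration of sections 3.1 and 3.2 (this is not code from the paper), the following Python sketch represents normal graph expressions, decides structural congruence by the renaming criterion of Obs. 1, and implements the application schema with its identification and dangling checks. The relink rule $\lambda xy.\, \nu m.(b(x,m) \,\|\, b(m,y)) \Rightarrow b(x,y)$ and the closed graphs it is applied to are constructed examples, and node typing is left implicit, as section 3 allows.

```python
"""Added example: normal graph expressions X |= nu bound.(e1 || ... || ek),
structural congruence (Obs. 1) and the application schema of section 3.2."""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, Optional, Tuple

# an edge component e(n1,...,nk): (edge label, sequence of node names)
Edge = Tuple[str, Tuple[str, ...]]

@dataclass(frozen=True)
class GraphExpr:
    """free = interface X, bound = restricted names, edges = ground edge components."""
    free: FrozenSet[str]
    bound: FrozenSet[str]
    edges: FrozenSet[Edge]

    def __post_init__(self) -> None:       # fn(C) within X, no node both free and bound
        if self.free & self.bound or not self.connected() <= self.nodes():
            raise ValueError("ill-formed graph expression")

    def nodes(self) -> FrozenSet[str]:      # n(E) = X u bn(C)
        return self.free | self.bound

    def connected(self) -> FrozenSet[str]:  # cn(C): nodes occurring in an edge component
        return frozenset(n for _, ns in self.edges for n in ns)

    def isolated(self) -> FrozenSet[str]:   # i(E) = n(E) \ cn(C)
        return self.nodes() - self.connected()

def rename(edges: FrozenSet[Edge], sigma: Dict[str, str]) -> FrozenSet[Edge]:
    """Apply a node renaming / substitution sigma to every edge component."""
    return frozenset((lab, tuple(sigma.get(n, n) for n in ns)) for lab, ns in edges)

def congruent(e1: GraphExpr, e2: GraphExpr) -> bool:
    """Obs. 1: E1 == E2 iff fn(E1) = fn(E2) and some renaming of bn(E1) maps the
    ground components of E1 onto those of E2.  Isolated bound nodes count, since
    nu does not satisfy eta-equivalence (nu n.C is not congruent to C)."""
    if e1.free != e2.free or len(e1.bound) != len(e2.bound):
        return False
    src = sorted(e1.bound)
    return any(rename(e1.edges, dict(zip(src, img))) == e2.edges
               for img in permutations(sorted(e2.bound)))

@dataclass(frozen=True)
class Rule:
    """Rule expression lambda xs. L => R: both sides have the interface xs as their
    free nodes, and no interface node is isolated on either side (section 3.2)."""
    xs: Tuple[str, ...]
    lhs: GraphExpr
    rhs: GraphExpr

    def __post_init__(self) -> None:
        for side in (self.lhs, self.rhs):
            if side.free != frozenset(self.xs) or side.isolated() & side.free:
                raise ValueError("rule sides must share a non-isolated interface")

def apply_rule(rule: Rule, g: GraphExpr, d: Dict[str, str]) -> Optional[GraphExpr]:
    """Application schema with interface match d = [n/x]: search a refactoring
    G == nu n.(L[n/x] || C) meeting the DPO conditions and return
    H == nu n.(R[n/x] || C); None when this d admits no match."""
    if g.free:
        raise ValueError("the schema is stated for closed graph expressions")
    ns = [d[x] for x in rule.xs]
    if len(set(ns)) != len(ns) or not set(ns) <= g.bound:
        return None                                 # d must map x injectively into n(G)
    lhs_bound = sorted(rule.lhs.bound)
    # identification condition: m_v injective on bn(L), image disjoint from d's image
    for img in permutations(sorted(g.bound - set(ns)), len(lhs_bound)):
        m_v = dict(zip(lhs_bound, img))
        l_prime = rename(rule.lhs.edges, {**d, **m_v})  # L' = L[n/x] embedded by m_v
        if not l_prime <= g.edges:                      # m_e must be an inclusion into ec(G)
            continue
        rest = g.edges - l_prime                        # the context C
        deleted = frozenset(img)                        # bn(L') are the nodes consumed
        if any(n in deleted for _, ns_ in rest for n in ns_):
            continue                                    # dangling condition violated
        used, r_fresh = set(g.nodes()), {}              # bn(R) renamed apart from n(G)
        for b in sorted(rule.rhs.bound):
            r_fresh[b] = b
            while r_fresh[b] in used:
                r_fresh[b] += "'"
            used.add(r_fresh[b])
        return GraphExpr(frozenset(), (g.bound - deleted) | frozenset(r_fresh.values()),
                         rest | rename(rule.rhs.edges, {**d, **r_fresh}))
    return None

def closed(bound: str, *edges: Edge) -> GraphExpr:
    """Closed graph nu bound.(edges), with bound a space-separated list of node names."""
    return GraphExpr(frozenset(), frozenset(bound.split()), frozenset(edges))

def relink_rule() -> Rule:
    """Constructed example rule: lambda xy. nu m.(b(x,m) || b(m,y)) => b(x,y)."""
    lhs = GraphExpr(frozenset("xy"), frozenset("m"),
                    frozenset({("b", ("x", "m")), ("b", ("m", "y"))}))
    rhs = GraphExpr(frozenset("xy"), frozenset(), frozenset({("b", ("x", "y"))}))
    return Rule(("x", "y"), lhs, rhs)
```

Applying `relink_rule()` to $\nu n_1 n_2 n_3.(b(n_1,n_2) \,\|\, b(n_2,n_3))$ with $d = [n_1/x, n_3/y]$ consumes $n_2$ and yields $\nu n_1 n_3.\, b(n_1,n_3)$; an extra edge into $n_2$ makes the dangling check reject the match, and an isolated node of $G$ survives into $H$.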



4 Linear lambda-calculus 

We rely on a constructive presentation of intuitionistic linear logic, based on the labelling of 
logic formulas, in a way that gives rise to a form of A-calculus. Linear A-calculus [1, 2, 5, 14] 
has been introduced in association with intuitionistic linear logic and with the notion of linear 
functions, by interpreting linearity as consumption of arguments. Linear implication (-o) can 
be used to type linear functions, as much as intuitionistic implication (— >) is used to type generic 
ones. 

We rely on a two-entry sequent presentation of linear logic [13, 14], and we follow the 
convention to use different sorts of variable identifiers for linear resources ($u, v, \ldots$) and non-linear 
ones ($p, q, \ldots$). We denote linear abstraction by $\hat\lambda$ (with $\hat{}$ for linear application), to distinguish it 
from the standard one ($\lambda$) — though the difference between the two can actually be determined by 
whether the abstraction variable is linear. For the purpose of the translation, we find it further 
useful to distinguish individual variables ($x, y, \ldots$, non-linear), and node variables ($m, n, \ldots$, 
linear). Whether $\lambda$ is typed by $\forall$ depends on whether the abstraction is over an individual variable 
that occurs in the type. We use let expressions to abstract over patterns. We assume standard 
forms of $\alpha$-renaming, $\beta$- and $\eta$-congruence for $\lambda$ and $\hat\lambda$ (with linearity check for the latter). 

$N :: \alpha$ is a typing expression (typed term) where $N$ is a term (the label) and $\alpha$ is a logic formula 
(the type). Two-entry sequents have form $\Gamma; \Delta \vdash N :: \alpha$, where $\Delta$ is a multiset of typed linear 
variables (linear context), with $\Delta_n \subseteq \Delta$ a multiset of typed node variables, and $\Gamma$ is a multiset 
of typed non-linear variables (non-linear context), with $\Gamma_I \subseteq \Gamma$ a multiset of typed individual 
variables. We use sequence notation — modulo permutation and associativity, and a dot ($\cdot$) for 
the empty multiset. 
A natural deduction system is given by a set of axioms and a set of primitive inference rules, 
each associated as either introduction or elimination operational rule to a logical operator. A 
sequent is provable, and represents a typing derivation, when it can be derived from the axioms 
by means of inference rules. We say that a rule 

\[
\frac{\Sigma_1 \quad \cdots \quad \Sigma_n}{\Sigma}
\]

is derivable whenever it can be proved that, if $\Sigma_1, \ldots, \Sigma_n$ are provable sequents, then also 
$\Sigma$ is. When we "forget" all about labels we are left with logic formulas and the consequence 
relation — then we use $\Vdash$ instead of $\vdash$. 

4.1 A system with restriction 

We consider a system with the standard propositional intuitionistic linear operators $\multimap, \otimes, 1, \top, \bot, \to, 
\vee, \&, !$ and the standard universal quantifier $\forall$. Each of these can be associated to a linear $\lambda$-calculus 
operator [1, 14]. We also allow for syntactical type equality ($=$), stronger than linear equivalence 
($\cong$, which can be defined in terms of $\multimap$ and $\&$). We assume standard rules for $=$. However, we 
only need to prove instances of type equality arising from substitution as side conditions, and 
we do not actually use the proof term — therefore for simplicity we associate $=$ to an axiom 
and a dummy term $nil_=$. 

We extend this system by adding resource-bound existential quantification ($\exists$) and an 
auxiliary modifier to express reference ($\lfloor$). The extension is meant to answer two issues. First — 
nodes need to be treated linearly from the point of view of transformation, though their names 
occur non-linearly in graph expressions. Second — we need to associate a type to name 
restriction in the context of graph expressions. The resource-boundedness of $\exists$ makes it possible to 
treat nodes linearly, whereas the freshness conditions on $\exists$ and $\lfloor$ make it possible to interpret 
operationally $\exists$ as a restriction type. 

The modifier $\lfloor$ is meant to express reference of an individual variable (a node name) to a 
linear one (a node) as part of the node type. The typed linear variable $n :: \alpha \lfloor x$ is referred to by 
the typed non-linear one $x :: \alpha$ — we will also say that $n$ is a reference variable, and that $x$ is the 
referring variable in $\alpha \lfloor x$. We require, as operational constraint, that each individual variable 
may occur as referring variable no more than once in the linear context of a sequent (uniqueness 
constraint). This constraint entails that the reference relation between reference variables and 
individual free variables is one-to-one, and also that reference variables can only be linear. 

We use $\epsilon$ to denote the restriction-like operator associated with $\exists$, that can be defined as 

$\epsilon(n|y).M :: \exists x : \alpha.\,\beta \ \ =_{df}\ \ y \otimes n \otimes M$ 

where $n :: \alpha \lfloor y$ and therefore $y$ refers to $n$. The definition of $\epsilon$ is essentially based on that of the 
proof-and-witness pair associated with the interpretation of the existential quantifier, in standard 
$\lambda$-calculus [17] as well as in its linear version [5, 14]. 

The inference rules guarantee that there is a one-to-one relation between referring variables 
in the context of a sequent and variables that may be bound by $\exists$ (naming property), under the 
assumption that $\exists$ does not occur in the axioms. The property is preserved by the $\exists$ elimination 
rule — similar to the standard existential quantifier rule, requiring that the instantiated term 
(a referring variable) as well as the associated reference are fresh variables. We force the 
naming property to be preserved by the $\exists$ introduction rule, by requiring that the new bound 
variable replaces all the occurrences of the instantiated term in the consequence of the derivation 
(freshness condition of $\exists$ introduction). The naming property follows for any provable sequent, 
under the given assumption, by induction over proofs. Given the uniqueness constraint, it also 
follows that there is a one-to-one relation between reference variables in the context of a sequent 
and variables that may be bound by $\exists$ (linear naming property). 

The freshness condition of $\exists I$ is expressed formally, in terms of substitution and syntactical 
type equality ($\Gamma, x :: \beta; \cdot \vdash nil_= :: \alpha\#(x,y)$). In fact, as we define $\alpha\#(x,y) =_{df} (\alpha[y/x])[x/y] = \alpha$, the 
typed term $nil_= :: \alpha\#(x,y)$ can be used to express that $y$ does not occur free in $\exists x.\alpha$. However, this is 
essentially just the formalisation of a side condition for the rule. From the freshness condition it 
also follows that the formula $\exists x.\alpha$ obtained by $\exists$ introduction is determined, modulo renaming 
of bound variables, by the instance $\alpha[y/x]$ in the hypothesis. 

The linear naming property ensures that $\exists$ can be used to bind free variables, hiding them, 
though without allowing any derivation of instantiations that can alter irreversibly the structure 
of the formula, and that therefore these variables can be treated as names, preserved through 
inference — and moreover, that these names are associated with linear resources. In chemical 
terms, with reference to section 3.1, borrowing a suggestion from [3], $\exists$ allows us to understand 
derivation as a cooling process. 

A normal proof is intuitively speaking one in which there are no detours — no operators that 
are introduced to be thereafter eliminated. A system is normalising whenever every provable 
sequent has a normal proof. All provable sequents in ILL have normal proofs [1] and this result 
can be extended to the logic with the standard quantifier (see [14], though unpublished). A proof 
that our system is complete with respect to normal proofs goes beyond the scope of the present 
paper. However, it is informally arguable that completeness holds essentially, by translation 
to a sequent calculus system, for which it is comparatively easier to see that the fragment 
$\otimes, \multimap, 1, \forall, \exists$ enjoys the cut elimination property, closely associated with proof normalisation. 

4.2 Quantification and DPO properties 

We have introduced resource-bound quantification in order to express more easily the injective 
character of the pattern-matching morphism components associated with deletion and creation 
of graph elements. It is not difficult to see that the following, closely associated properties hold 
— in clear contrast with what happens with standard existential quantification. 

Obs. 3 (1) $\nVdash (\exists x : \beta.\, \alpha(x,x)) \multimap \exists xy : \beta.\, \alpha(x,y)$ 

the resource associated to $x$ cannot suffice for $x$ and $y$. 

(2) $\nVdash \forall x : \beta.\, \beta \lfloor x \otimes \alpha(x,x) \multimap \exists y : \beta.\, \alpha(y,x)$ 

$y$ and $x$ should be instantiated with the same term — but this is prevented by the freshness 
condition in $\exists$ introduction. 

(3) $\nVdash (\exists x : \beta.\, \alpha_1(x) \otimes \alpha_2(x)) \multimap (\exists x : \beta.\, \alpha_1(x)) \otimes \exists x : \beta.\, \alpha_2(x)$ 

the two bound variables in the consequence require distinct resources and refer to distinct 
occurrences. 

In particular, (1) and (2) can be regarded as properties associated with the identification 
condition, whereas (3) has a more general structure-preserving character. 

The following properties show a relationship between linear equivalence and the congruence 
relation defined in section 3.1. 



P. Torrini & R. Heckel 

Obs. 4 $\exists$ satisfies properties of $\alpha$-renaming, exchange and distribution over $\otimes$, i.e. 

$\Vdash (\exists x : \alpha.\, \beta(x)) \cong (\exists y : \alpha.\, \beta(y))$ 
$\Vdash (\exists xy : \alpha.\, \gamma) \cong (\exists yx : \alpha.\, \gamma)$ 

$\Vdash (\exists x : \alpha.\, \beta \otimes \gamma(x)) \cong (\beta \otimes \exists x : \alpha.\, \gamma(x))$ ($x$ not in $\alpha$) 

In general $\exists$ does not satisfy logical $\eta$-equivalence, i.e. it cannot be proved that $\alpha$ is equivalent 
to $\exists x.\alpha$ when $x$ does not occur free in $\alpha$ (neither sense of linear implication holds). This is useful 
though, in order to represent graphs with isolated nodes. Note that, in order to match the 
notion of congruence introduced for graph expressions at the term level, term congruence in 
the lambda-calculus should be extended with $\alpha$-renaming, exchange, and distribution over $\otimes$ 
for $\epsilon$. However this is not needed here, insofar as we can reason about congruence at the type 
level, in terms of linear equivalence. 

4.3 Proof systems (QILL) 

Syntax of formulas and terms: 

\[
\begin{array}{lcl}
\alpha & ::= & A \mid L(N_1,\ldots,N_n) \mid 1 \mid \alpha_1 \otimes \alpha_2 \mid \alpha_1 \multimap \alpha_2 \mid \top \mid \bot \mid \alpha_1 \,\&\, \alpha_2 \mid \alpha \to \beta \mid \alpha \vee \beta \\
& & \mid \forall x : \beta.\,\alpha \mid \exists x : \beta.\,\alpha \mid \alpha \lfloor x \mid \alpha = \alpha \\[4pt]
N & ::= & x \mid p \mid n \mid u \mid nil \mid N_1 \otimes N_2 \mid \epsilon(N_1 | N_2).N_3 \mid \lambda x.N \mid \lambda p.N \mid \hat\lambda u.N \mid N_1 \,\hat{}\, N_2 \mid N_1\, N_2 \mid\, !N \\
& & \mid error^{\alpha}\, M \mid \langle\rangle \mid \langle N_1, N_2 \rangle \mid fst\, N \mid snd\, N \mid case\, N\, of\, P_1.N_1;\, P_2.N_2 \mid inr^{\alpha} N \mid inl^{\alpha} N \mid nil_=
\end{array}
\]

Derived forms: 

\[
let\ P = N_1\ in\ N_2 \;=_{df}\; (\lambda P.N_2)\,N_1 \quad \text{where } P \text{ is a variable pattern}
\]
\[
\alpha \cong \beta \;=_{df}\; (\alpha \multimap \beta) \,\&\, (\beta \multimap \alpha) \qquad
\neg\alpha \;=_{df}\; \alpha \multimap \bot \qquad
\alpha\#(x,y) \;=_{df}\; (\alpha[y/x])[x/y] = \alpha
\]

Axioms: 

\[
\Gamma; u :: \alpha \vdash u :: \alpha \qquad
\Gamma, p :: \alpha; \cdot \vdash p :: \alpha \qquad
\Gamma, x :: \alpha; n :: \alpha\lfloor x \vdash n :: \alpha\lfloor x \qquad
\Gamma; \cdot \vdash nil_= :: \alpha = \alpha
\]

Inference rules: 

\[
\frac{\Gamma;\Delta_1 \vdash M :: \alpha \qquad \Gamma;\Delta_2 \vdash N :: \beta}{\Gamma;\Delta_1,\Delta_2 \vdash M \otimes N :: \alpha \otimes \beta}\;\otimes I
\qquad
\frac{\Gamma;\Delta_1 \vdash M :: \alpha \otimes \beta \qquad \Gamma;\Delta_2, u :: \alpha, v :: \beta \vdash N :: \gamma}{\Gamma;\Delta_1,\Delta_2 \vdash let\ u \otimes v = M\ in\ N :: \gamma}\;\otimes E
\]

\[
\frac{\Gamma;\Delta, u :: \alpha \vdash M :: \beta}{\Gamma;\Delta \vdash \hat\lambda u : \alpha.\,M :: \alpha \multimap \beta}\;\multimap I
\qquad
\frac{\Gamma;\Delta_1 \vdash M :: \alpha \multimap \beta \qquad \Gamma;\Delta_2 \vdash N :: \alpha}{\Gamma;\Delta_1,\Delta_2 \vdash M \,\hat{}\, N :: \beta}\;\multimap E
\]

\[
\frac{}{\Gamma;\cdot \vdash nil :: 1}\;1I
\qquad
\frac{\Gamma;\Delta \vdash M :: 1 \qquad \Gamma;\Delta' \vdash N :: \alpha}{\Gamma;\Delta,\Delta' \vdash let\ nil = M\ in\ N :: \alpha}\;1E
\]

\[
\frac{\Gamma;\Delta \vdash M :: \alpha \qquad \Gamma;\Delta \vdash N :: \beta}{\Gamma;\Delta \vdash \langle M, N \rangle :: \alpha \,\&\, \beta}\;\& I
\qquad
\frac{\Gamma;\Delta \vdash M :: \alpha \,\&\, \beta}{\Gamma;\Delta \vdash fst\, M :: \alpha}\;\& E_1
\qquad
\frac{\Gamma;\Delta \vdash M :: \alpha \,\&\, \beta}{\Gamma;\Delta \vdash snd\, M :: \beta}\;\& E_2
\]

\[
\frac{\Gamma;\Delta \vdash M :: \alpha}{\Gamma;\Delta \vdash inl^{\beta} M :: \alpha \vee \beta}\;\vee I_1
\qquad
\frac{\Gamma;\Delta \vdash M :: \beta}{\Gamma;\Delta \vdash inr^{\alpha} M :: \alpha \vee \beta}\;\vee I_2
\]

\[
\frac{\Gamma;\Delta \vdash M :: \alpha \vee \beta \qquad \Gamma;\Delta', u :: \alpha \vdash N_1 :: \gamma \qquad \Gamma;\Delta', v :: \beta \vdash N_2 :: \gamma}{\Gamma;\Delta,\Delta' \vdash case\ M\ of\ inl\ u.\,N_1;\ inr\ v.\,N_2 :: \gamma}\;\vee E
\]

\[
\frac{}{\Gamma;\Delta \vdash \langle\rangle :: \top}\;\top I
\qquad
\frac{\Gamma;\Delta \vdash M :: \bot}{\Gamma;\Delta,\Delta' \vdash error^{\alpha}\, M :: \alpha}\;\bot E
\]

\[
\frac{\Gamma;\cdot \vdash M :: \alpha}{\Gamma;\cdot \vdash\, !M :: \,!\alpha}\;!I
\qquad
\frac{\Gamma;\Delta_1 \vdash M :: \,!\alpha \qquad \Gamma, p :: \alpha; \Delta_2 \vdash N :: \beta}{\Gamma;\Delta_1,\Delta_2 \vdash let\ p = M\ in\ N :: \beta}\;!E
\]

\[
\frac{\Gamma, p :: \alpha; \Delta \vdash M :: \beta}{\Gamma;\Delta \vdash \lambda p.\,M :: \alpha \to \beta}\;\to I
\qquad
\frac{\Gamma;\Delta \vdash M :: \alpha \to \beta \qquad \Gamma;\cdot \vdash N :: \alpha}{\Gamma;\Delta \vdash M\,N :: \beta}\;\to E
\]

\[
\frac{\Gamma, x :: \beta; \Delta \vdash M :: \alpha}{\Gamma;\Delta \vdash \lambda x.\,M :: \forall x : \beta.\,\alpha}\;\forall I
\qquad
\frac{\Gamma;\Delta \vdash M :: \forall x : \beta.\,\alpha \qquad \Gamma;\cdot \vdash N :: \beta}{\Gamma;\Delta \vdash M\,N :: \alpha[N/x]}\;\forall E
\]

Resource-bound quantifier 

\[
\frac{\Gamma;\Delta \vdash M :: \alpha[y/x] \qquad \Gamma;\Delta' \vdash n :: \beta\lfloor y \qquad \Gamma, x :: \beta; \cdot \vdash nil_= :: \alpha\#(x,y)}{\Gamma;\Delta,\Delta' \vdash \epsilon(n|y).M :: \exists x : \beta.\,\alpha}\;\exists I
\]

\[
\frac{\Gamma;\Delta_1 \vdash M :: \exists x : \beta.\,\alpha \qquad \Gamma, x :: \beta; \Delta_2, n :: \beta\lfloor x, v :: \alpha \vdash N :: \gamma}{\Gamma;\Delta_1,\Delta_2 \vdash let\ \epsilon(n|x).v = M\ in\ N :: \gamma}\;\exists E
\]

5 Linear encoding of GTS 

We are going to define a translation of graph expressions to typing derivations. Intuitively the 
translation is based on a quite straightforward mapping of graph expressions into proof terms, 
with $\mathit{Nil}$ mapped to $\mathit{nil}$, $\|$ to $\otimes$, and $\nu$ to $\varepsilon$. However, we need to distinguish nodes as ground 
components (nodes) from node occurrences in constituents (node names). Given $E = X \models C$, we 
can translate a node $n \in X$ with $\mathit{type}(n) = A$ as $n :: A\!\upharpoonright\!x_n$ (typed node), and the occurrences of $n$ in 
$C$ as $x_n :: A$, where $A$ is an unbounded resource type (therefore equivalent to $!A$). 

Semantically it is more convenient to take edge components as primitive, rather than edges. 
In principle, we can introduce a notion of edge interface as linear resource, $e :: \forall x_1 : A_1, \ldots, x_k : 
A_k.\, L_e(x_1,\ldots,x_k)$, translate an edge type $L_e(A_1,\ldots,A_k)$ as $\forall x_1 : A_1, \ldots, x_k : A_k.\, L_e(x_1,\ldots,x_k)$, and a 
component $e(n_1,\ldots,n_k)$ as $c_e \equiv e\,x_1 \ldots x_k$. For all its functional clarity, however, the notion of 
edge interface is hard to place in GTS. Therefore, we prefer to introduce the notion $c_e :: L(x_1,\ldots,x_n)$ 
of typed edge component as primitive, which can be the translation of the original component under 
the premises $x_1 :: A_1, \ldots, x_k :: A_k$. Following this approach, component connectivity does not 
result from the term, but rather from the type. 

We call graph formulas those in the $1, \otimes, \exists, \upharpoonright$ fragment of the logic containing only primitive 
graph types (node and edge types). We say that a graph formula $\gamma$ is in normal form whenever 
$\gamma = \exists(\bar x : \bar A).\,\alpha$, where either $\alpha = 1$ or $\alpha = L_1(\bar x_1) \otimes \ldots \otimes L_k(\bar x_k)$, with $\bar x :: \bar A$ a sequence of typed 
variables. The formula is closed if $\bar x_i \subseteq \bar x$ for each $1 \le i \le k$. A graph context is a multiset of typed 
nodes and typed edge components. 

A graph derivation is a valid sequent $\Gamma;\Delta \vdash N :: \gamma$, where $\gamma$ is a graph formula, $\Delta$ is a graph 
context and $\Gamma$ contains only individual variables. A graph derivation uses only axioms and the 
introduction rules $\mathsf{1I}$, $\otimes\mathsf{I}$, $\exists\mathsf{I}$ — therefore it is trivially normal. 

We can now define formally the translation as a function $[\![\cdot]\!]$ from graph expressions to typing 
derivations. We use the notation $\mathit{AxiomName}\,[\Gamma;;\ \mathit{form}]$ to abbreviate axiom instances and 
deduction rules with empty hypothesis (by giving the non-linear context and the principal 
formula, if there is one), and $\mathit{RuleName}\,[\mathit{hyp}_1;;\ \ldots;;\ \mathit{hyp}_n]$ to abbreviate instances of inference 
rules (by giving the hypotheses). We also define $\mathit{MainType}(\Gamma;\Delta \vdash N :: \alpha) = \alpha$, $\mathit{MainTerm}(\Gamma;\Delta \vdash N :: 
\alpha) = N$, and $\mathit{LinearContext}(\Gamma;\Delta \vdash N :: \alpha) = \Delta$ as auxiliary functions. 

Constituents 

\[
\begin{array}{rcl}
[\![ e_i(m,\ldots,n) : L_i(A_m,\ldots,A_n) ]\!] & =_{df} & \mathsf{Id}\,[\Gamma;;\ c_i :: L_i(x_m,\ldots,x_n)] \\[4pt]
[\![ \mathit{Nil} ]\!] & =_{df} & \mathsf{1I}\,[\Gamma] \\[4pt]
[\![ M \,\|\, N ]\!] & =_{df} & \otimes\mathsf{I}\,[\,[\![M]\!];;\ [\![N]\!]\,] \\[4pt]
[\![ \nu n : A.\,N ]\!] & =_{df} & \exists\mathsf{I}\,[\,[\![N]\!];;\ \mathsf{NId}\,[\Gamma;;\ n :: A\!\upharpoonright\!x_n];;\ \Gamma, y :: A;\ \cdot \vdash \mathit{nil}_{=} :: \mathit{MainType}([\![N]\!])[y/x_n]\#(y,x_n)\,]
\end{array}
\]

Graph interfaces 

\[
\begin{array}{rcl}
[\![ n : A ]\!] & =_{df} & \mathsf{NId}\,[\Gamma;;\ n :: A\!\upharpoonright\!x_n] \\[4pt]
[\![ \{n : A\} ]\!] & =_{df} & [\![ n : A ]\!] \\[4pt]
[\![ \{n_1 : A_1\} \cup X ]\!] & =_{df} & \otimes\mathsf{I}\,[\,[\![\{n_1 : A_1\}]\!];;\ [\![X]\!]\,]
\end{array}
\]

Graph expressions 

\[
[\![ X \models C ]\!] \ =_{df}\ \otimes\mathsf{I}\,[\,[\![X]\!];;\ [\![C]\!]\,]
\]

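As an added worked instance of these definitions (our example, not taken from the paper), consider the graph expression $E = \{a : A\} \models \nu b : A.\, e(a,b) : L(A,A)$, i.e. a single $L$-edge from the interface node $a$ to a restricted node $b$, with $\Gamma = x_a :: A,\ x_b :: A$. Unfolding $[\![\cdot]\!]$ from the inside out gives

\[
[\![E]\!] = \otimes\mathsf{I}\Big[\ \mathsf{NId}[\Gamma;;\ a :: A\!\upharpoonright\!x_a]\ ;;\ \exists\mathsf{I}\big[\ \mathsf{Id}[\Gamma;;\ c_e :: L(x_a,x_b)]\ ;;\ \mathsf{NId}[\Gamma;;\ b :: A\!\upharpoonright\!x_b]\ ;;\ \Gamma, y :: A;\ \cdot \vdash \mathit{nil}_{=} :: L(x_a,y)\#(y,x_b)\ \big]\ \Big]
\]

where the third premise of $\exists\mathsf{I}$ unfolds, by the definition of $\#$, to $L(x_a,y) = L(x_a,y)$, an instance of the equality axiom. The derivation concludes with the sequent

\[
\Gamma;\ a :: A\!\upharpoonright\!x_a,\ c_e :: L(x_a,x_b),\ b :: A\!\upharpoonright\!x_b\ \vdash\ a \otimes \varepsilon(b \mid x_b).\,c_e\ ::\ A\!\upharpoonright\!x_a \otimes \exists y : A.\,L(x_a,y)
\]

so that $\mathit{MainType}([\![E]\!]) = A\!\upharpoonright\!x_a \otimes \exists y : A.\,L(x_a,y)$, in which $x_a$ is the only free (connected) referring variable, while $\mathit{LinearContext}([\![E]\!]) = \{a, b, c_e\}$ is in bijection with the ground components of $E$: one typed node per node, one typed edge component per edge.
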
5.1 Properties of the translation 

We first consider the following induced mappings, taking graph expressions into QILL formulas 
($[\![\cdot]\!]^T$), and into multisets of typed variables associated to ground components ($[\![\cdot]\!]^C$). In fact, let 
$[\![E]\!]^T = \mathit{MainType}[\![E]\!]$ and $[\![E]\!]^C = \mathit{LinearContext}[\![E]\!]$. 

Obs. 5 1) $[\![\cdot]\!]^T$ results in an extension of the original typing of nodes and edges, based on the 
association of $\otimes$ with $\|$, $1$ with $\mathit{Nil}$, and $\exists$ with $\nu$, where the free connected nodes are 
represented as free variables occurring in the consequence (which, by definition of $[\![\cdot]\!]$, are 
all referring), whereas other free referring variables represent free isolated nodes. 
2) $[\![E]\!]^C = \Delta$ determines a bijection between $\Delta$ and $gc(E)$ — dependent types contain 
the information about basic graph types and component dependencies, whereas terms 
preserve component identity. 
Prop. 1 There is an isomorphism between graph expressions and graph derivations. 

For each graph expression $E$, $[\![E]\!] = \Gamma;\Delta \vdash N :: \gamma$ defines a graph derivation. By construction, 
$N$ and $\Gamma$ are as required, $[\![E]\!]^T$ gives a graph formula, $[\![E]\!]^C$ a graph context. Vice versa, 
for each graph derivation $\delta = \Gamma;\Delta \vdash N :: \gamma$, one can define a graph expression $E$ such that 
$[\![E]\!] = \delta$, relying on Obs. 5. 

Prop. 2 There is an isomorphism between graphs and graph formulas modulo linear equivalence. 

Given graph expressions $M, N$, if $M \equiv N$ then $\Vdash [\![M]\!]^T \equiv [\![N]\!]^T$. This follows from the 
monoidal characterisation of $\otimes$ and Obs. 4. 

On the other hand, assume $\gamma_1, \gamma_2$ are graph formulas and $\Vdash \gamma_1 \equiv \gamma_2$. Then, for each pair of graph 
expressions $E_1, E_2$ such that $\gamma_1 = [\![E_1]\!]^T$, $\gamma_2 = [\![E_2]\!]^T$, it holds $E_1 \equiv E_2$. By property of 
linear equivalence, there is a graph derivation $\delta_1 = \Gamma;\Delta \vdash N_1 :: \gamma_1$ iff there is a graph 
derivation $\delta_2 = \Gamma;\Delta \vdash N_2 :: \gamma_2$. By Prop. 1, there are graph expressions $E_1, E_2$ such that 
$[\![E_1]\!] = \delta_1$, $[\![E_2]\!] = \delta_2$. From Obs. 5(2), $gc(E_1) = gc(E_2)$. Since $\gamma_1$ and $\gamma_2$ are equivalent they 
share the same free variables, and so do $E_1$ and $E_2$, by Obs. 5(1). Hence $E_1 \equiv E_2$ follows, 
by Obs. 1. 

The propositions above state that there is a Curry-Howard isomorphism between graph 
expressions and graph derivations on one side, and between graphs and QILL formulas modulo 
equivalence on the other. They also state that our translation of graph expressions is adequate 
with respect to their congruence. 
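As an added example (ours, not the paper's), the following Python sketch implements the type-level part of the translation, $[\![\cdot]\!]^T$ and $[\![\cdot]\!]^C$ of section 5, for the graph expressions used here, and decides the equivalence of Prop. 2 by comparing normal forms modulo $\alpha$-renaming, exchange of binders and the monoidal laws of $\otimes$ (Obs. 4). The class names (`Edge`, `Par`, `Nu`), the string encoding of types, the choice of $x_n$ as the name of the binder introduced for a restricted node $n$ (harmless up to $\alpha$-renaming) and the three sample expressions are all our own assumptions.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import List, Tuple, Union

# Graph-expression constituents (section 5): Nil, an edge component
# e(n1,...,nk) : L(A1,...,Ak), parallel composition M || N and name
# restriction nu n:A.N.  Node names, node types and edge types are strings.
# Added example; the class and function names are ours, not the paper's.

@dataclass(frozen=True)
class Nil:
    pass

@dataclass(frozen=True)
class Edge:
    name: str               # component identity c_e, kept in the linear context
    label: str              # edge type L_e
    nodes: Tuple[str, ...]  # node occurrences n1..nk, translated to x_n1..x_nk

@dataclass(frozen=True)
class Par:
    left: "Constituent"
    right: "Constituent"

@dataclass(frozen=True)
class Nu:
    node: str
    typ: str
    body: "Constituent"

Constituent = Union[Nil, Edge, Par, Nu]
Interface = List[Tuple[str, str]]     # typed interface nodes n:A
Atom = Tuple[str, Tuple[str, ...]]    # one factor L(x1..xk) or A|x of the tensor

@dataclass(frozen=True)
class Formula:
    """Graph formula in normal form: exists (x:A)... . atom_1 (x) ... (x) atom_k."""
    bound: Tuple[Tuple[str, str], ...]
    atoms: Tuple[Atom, ...]

def _var(n: str) -> str:
    return "x_" + n   # the referring variable x_n of node n

def _walk(c: Constituent):
    """(binders, atoms) of the constituent part of [[.]]^T, floating each exists
    outward over (x) (distribution, Obs. 4).  Assumes bound node names are
    pairwise distinct and different from interface names."""
    if isinstance(c, Nil):
        return (), ()                                   # Nil -> 1, unit of (x)
    if isinstance(c, Edge):
        return (), ((c.label, tuple(_var(n) for n in c.nodes)),)
    if isinstance(c, Par):                              # || -> (x)
        b1, a1 = _walk(c.left)
        b2, a2 = _walk(c.right)
        return b1 + b2, a1 + a2
    if isinstance(c, Nu):                               # nu n:A -> exists x_n:A
        b, a = _walk(c.body)
        return ((_var(c.node), c.typ),) + b, a
    raise TypeError(c)

def translate_t(interface: Interface, c: Constituent) -> Formula:
    """[[X |= C]]^T: each interface node contributes a typed-node factor A|x_n
    (from NId); the constituents contribute the rest (Obs. 5(1))."""
    node_atoms = tuple((A + "|", (_var(n),)) for n, A in interface)
    bound, atoms = _walk(c)
    return Formula(bound, node_atoms + atoms)

def linear_context(interface: Interface, c: Constituent) -> List[Tuple[str, str]]:
    """[[X |= C]]^C: one typed hypothesis per ground component, in bijection with
    gc(E) (Obs. 5(2)).  Bound nodes appear too: exists-I consumes the hypothesis
    n :: A|x_n introduced by NId."""
    ctx = [(n, f"{A}|{_var(n)}") for n, A in interface]
    def walk(c: Constituent) -> None:
        if isinstance(c, Edge):
            ctx.append((c.name, f"{c.label}({','.join(_var(n) for n in c.nodes)})"))
        elif isinstance(c, Par):
            walk(c.left); walk(c.right)
        elif isinstance(c, Nu):
            ctx.append((c.node, f"{c.typ}|{_var(c.node)}")); walk(c.body)
    walk(c)
    return ctx

def canonical(f: Formula):
    """Representative of f modulo alpha-renaming, exchange of binders and
    associativity/commutativity of (x): the laws Prop. 2 relies on.  Brute force
    over renamings of the bound variables (graph isomorphism in disguise),
    adequate for the small expressions of a worked example."""
    names = [v for v, _ in f.bound]
    types = dict(f.bound)
    best = None
    for perm in permutations(range(len(names))):
        ren = {names[i]: f"b{perm[i]}" for i in range(len(names))}
        bound = tuple(sorted((ren[v], types[v]) for v in names))
        atoms = tuple(sorted((L, tuple(ren.get(x, x) for x in xs)) for L, xs in f.atoms))
        cand = (bound, atoms)
        if best is None or cand < best:
            best = cand
    return best

def equivalent(f: Formula, g: Formula) -> bool:
    """Decides |- f == g for normal-form graph formulas (Prop. 2)."""
    return canonical(f) == canonical(g)

# Constructed samples.  G1 = {a:N} |= nu b:N.(e1(a,b):E || e2(b,b):E); G2 is the
# same graph with the bound node renamed and the components exchanged; G3 moves
# the loop from the bound node to the interface node, so it is a different graph.
G1 = ([("a", "N")], Nu("b", "N", Par(Edge("e1", "E", ("a", "b")), Edge("e2", "E", ("b", "b")))))
G2 = ([("a", "N")], Nu("c", "N", Par(Edge("f2", "E", ("c", "c")), Edge("f1", "E", ("a", "c")))))
G3 = ([("a", "N")], Nu("c", "N", Par(Edge("f2", "E", ("a", "a")), Edge("f1", "E", ("a", "c")))))

if __name__ == "__main__":
    print(translate_t(*G1))
    print(linear_context(*G1))
    print(equivalent(translate_t(*G1), translate_t(*G2)))   # True
    print(equivalent(translate_t(*G1), translate_t(*G3)))   # False
```

The brute-force renaming in `canonical` is the price of deciding equivalence modulo Obs. 4 exactly: two normal-form graph formulas are linearly equivalent iff the graphs they denote are isomorphic, so any decision procedure must solve graph isomorphism on the bound nodes. For the handful of nodes in a worked example this is immediate; for larger graphs one would substitute a proper canonical-labelling algorithm.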

By an argument similar to that of Prop. 2 and the definition of heating (section 3.1), we can 
prove also the following. 

Obs. 6 Given graph expressions $M, N$, the sequent $\Vdash [\![M]\!]^T \multimap [\![N]\!]^T$ is provable if and only if $M$ 
is a heating of $N$. 

This observation has wider semantical consequences, by noting that all the inference rules 
involved in graph derivation, if read backward, lead to graph derivations that represent heating 
fragments of the graph expression represented by the conclusion. 

5.2 DPO transformations 

We can now shift from congruence of graph expressions to reachability in a GTS, extending the 
translation to deal with graph transformation. We consider transformation up to isomorphism, 
and therefore we start from the type level, relying on Prop. 2 — i.e. we define directly the map 
T from graph expressions to QILL formulas. We do this by associating transformation to linear 
implication, and the binding of node variables in rule interfaces to universal quantification. 

\[
\begin{array}{rcl}
[\![ M \Rightarrow N ]\!]^T & =_{df} & [\![M]\!]^T \multimap [\![N]\!]^T \\[4pt]
[\![ \lambda x : A.\,N ]\!]^T & =_{df} & \forall x : A.\,[\![N]\!]^T
\end{array}
\]

Transformation rules are meant to be primitive in a GTS, so they can be introduced as 
premises (as with nodes and edge components). They have to be regarded as unbounded 
resources, in order to account for their potentially unlimited applicability, and moreover they 
must be associated with closed formulas (as there are neither free nodes nor free variables 
in transformation rule expressions). Reasoning at an abstract level, it seems appropriate to 
forget about proof terms and consider only the types of the formulas associated with the graph 
expressions in the algebraic definition of the rule. 

The translation of a rule $\pi(p) = \lambda \bar x.\, L \Rightarrow R$ can therefore be defined as follows 

\[
[\![ \pi(p) ]\!] \ =_{df}\ \mathsf{FId}\,[\Gamma;;\ p :: \forall \bar x : \bar A.\,[\![L]\!]^T \multimap [\![R]\!]^T]
\]

At an intuitive level, in terms of natural deduction and of a proof built from the bottom, 
the application of rule $p$ to a graph $G$ involves deriving the matching subgraph $L'$ from $gc(L') \subseteq 
gc(G)$. The application of $p$ to $L'$ can be understood as an instantiation of the rule interface, 
corresponding to $\forall$ elimination proof steps; followed by an application of the instantiated rule 
to $L'$, corresponding to a $\multimap$ elimination step, and resulting in a conclusion that represents $R'$; 
followed by a graph derivation of $H$ from premises that represent $gc(R') \cup (gc(G) \setminus gc(L'))$. 

From a more goal-oriented perspective, assuming normalisation, the application of p to G 
can be seen as a process leading to a heating fragment of G, which in turn is a heating of rule 
match. 

More formally, the application of $p$ to a closed graph formula $\alpha_G = \exists \bar y : \bar A_y.\,\beta_G$ determined by 
morphism $m$ relies on the fact that the following application schema is a derivable rule (proof 
along the lines of the above intuitive explanations) 

\[
\frac{
\begin{array}{ll}
\Gamma;\ \cdot \Vdash \alpha_G \equiv \alpha_{G'} & \alpha_{G'} = \exists \bar z : \bar A_z.\,\alpha_L[\bar z : \bar A_z \leftarrow \bar x : \bar A_x] \otimes \alpha_C \\
\Gamma;\ \cdot \Vdash \alpha_H \equiv \alpha_{H'} & \alpha_{H'} = \exists \bar z : \bar A_z.\,\alpha_R[\bar z : \bar A_z \leftarrow \bar x : \bar A_x] \otimes \alpha_C
\end{array}
}{
\Gamma;\ \forall \bar x : \bar A_x.\,\alpha_L \multimap \alpha_R \ \Vdash\ \alpha_G \multimap \alpha_H
}
\]

where the interface morphism $d$ associated with $m$ is represented by the multiple substitution 
$[\bar z : \bar A_z \leftarrow \bar x : \bar A_x]$, with $\bar z : \bar A_z \subseteq \bar y : \bar A_y$. 
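As an added worked instance of the schema (our example, not the paper's), take a node type $A$, edge types $L$, $K$, $M$, and the relabelling rule $\pi(p) = \lambda x : A.\ e(x) : L(A) \Rightarrow e'(x) : K(A)$, so that $[\![\pi(p)]\!]^T = \forall x : A.\, L(x) \multimap K(x)$, with $\alpha_L = L(x)$ and $\alpha_R = K(x)$. Apply it to $G = \nu y : A.\,(e(y) : L(A) \,\|\, f(y) : M(A))$, i.e. $\alpha_G = \exists y : A.\, L(y) \otimes M(y)$, with the match sending $x$ to $y$: $\bar z = y$, $\alpha_C = M(y)$, hence $\alpha_{G'} = \exists y : A.\, L(x)[y \leftarrow x] \otimes M(y)$ coincides with $\alpha_G$, and $\alpha_H = \alpha_{H'} = \exists y : A.\, K(y) \otimes M(y)$; both side equivalences of the schema are trivial. The schema then yields the sequent

\[
\Gamma;\ p :: \forall x : A.\, L(x) \multimap K(x)\ \Vdash\ \lambda u : \alpha_G.\ \mathit{let}\ \varepsilon(n \mid y).\,v = u\ \mathit{in}\ \mathit{let}\ v_1 \otimes v_2 = v\ \mathit{in}\ \varepsilon(n \mid y).\big(((p\,y)\,{}^{\wedge}v_1) \otimes v_2\big)\ ::\ \alpha_G \multimap \alpha_H
\]

whose proof term, read bottom-up as in the intuitive explanation above, records the steps: $\multimap\mathsf{I}$ discharges $u :: \alpha_G$; $\exists\mathsf{E}$ puts $y :: A$ into $\Gamma$ and $n :: A\!\upharpoonright\!y$, $v :: L(y) \otimes M(y)$ into $\Delta$; $\otimes\mathsf{E}$ splits $v$ into $v_1 :: L(y)$ and $v_2 :: M(y)$, exposing the heating fragment of $G$ that is the rule match; $\forall\mathsf{E}$ with the individual $y$ gives $p\,y :: L(y) \multimap K(y)$ and $\multimap\mathsf{E}$ on $v_1$ gives $(p\,y)\,{}^{\wedge}v_1 :: K(y)$, consuming the resource $L(y)$, so the same edge cannot be matched a second time; $\otimes\mathsf{I}$ with the untouched context $v_2$ rebuilds $K(y) \otimes M(y)$; finally $\exists\mathsf{I}$ with $n :: A\!\upharpoonright\!y$ restricts the node again, its $\mathit{nil}_{=}$ premise reducing to $K(x) \otimes M(x) = K(x) \otimes M(x)$ for the fresh bound variable $x$, an instance of the equality axiom. The conclusion $\exists x : A.\, K(x) \otimes M(x)$ is $\alpha_H$ up to $\alpha$-renaming (Obs. 4).
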

Along these lines, it is possible to see that a hypergraph transformation system $\mathcal{G} = 
(TG, P, \pi, G_0)$ can be translated to QILL, and that it is possible to obtain an adequacy result 
for QILL with respect to reachability in GTS. 

Prop. 3 The translation is complete and correct with respect to reachability in DPO-GTS 
(restricting to rules with only nodes in the interface). 

For the completeness side — given that we can represent every graph, it is not difficult to 
see that we can also simulate every rule application in QILL. 

For the correctness side, we need to show that every provable sequent expressing a trans- 
formation from a graph formula to another one by means of transformation rule formulas 
can be simulated in the algebraic formalism. We can focus on a single transformation rule 
application as the inductive step, i.e. considering a sequent $\Gamma; R, G_1 \Vdash G_2$ where $G_1, G_2$ are 
graph formulas and $R$ a transformation rule formula. Assuming that we have a normal 
proof, we can argue that each backward step gives heating fragments of $G_2$ (introduction 
rules) and of $G_1$ (elimination rules) — therefore preserving structure. It is a matter of 
routine — induction on the number of variables and graph nodes — to show that the instanti- 
ations of $R$ correspond, up to isomorphism, to the matches of the corresponding algebraic 
transformation rule $R'$. Therefore the sequent is provable only if the algebraic graph $G'_2$ 
can be reached from the algebraic graph $G'_1$ by application of $R'$. 

The following may give an idea of the level of expressiveness. 
Obs. 7 Given a linear logic context $\Delta_0 = [a \mid a = [\![s]\!]^T,\ s \in gc(G_0)]$ (types of the ground components 
of $G_0$), a multiset $\Gamma$ including the referring typed variables for $\Delta_0$, and a multiset $\Gamma_P = 
[p \mid p = [\![\pi(p)]\!]^T,\ p \in P]$ (types of the transformation rules), for every graph $G$ reachable in 
the system 

\[
\Gamma, \Gamma_P;\ \Delta_0 \ \Vdash\ [\![G]\!]^T
\]

Given a multiset $R$ of transformations in $\mathcal{G}$, let $\Delta_R = [t \mid t = [\![t]\!]^T,\ t \in R]$. Then, for each graph 
$G$ which is reachable from $G_0$ by executing the transformations in $R$, in some order 

\[
\Gamma;\ \Delta_0, \Delta_R \ \Vdash\ [\![G]\!]^T
\]

If $G$ is reachable by executing at least the transformations in $R$, in some order 

\[
\Gamma, \Gamma_P;\ \Delta_0, \Delta_R \ \Vdash\ [\![G]\!]^T
\]

A further topic that we would like to investigate is concurrency. The expressiveness of 
linear logic makes it comparatively natural to represent parallel application of rules, choice and 
indeterminism, and therefore to compare this embedding with classic graph transformation 
approaches [8]. 

6 Conclusion 

We have defined a translation of DPO GTS, formulated in algebraic terms, with a restriction 
to rules that have only nodes in the interface, into a quantified version of ILL, based on the linear 
$\lambda$-calculus, extended with a resource-bound existential quantifier that we have used to type 
name restriction in graph expressions. We have proved informally that the translation is sound 
and complete with respect to graph expressions and adequate with respect to reachability in 
GTS. We believe that a line of research that relates models based on graph transformation and 
proof theory along lines such as those of the Chemical Abstract Machine [3] is probably worth 
further investigation. Related work on the translation of multiset rewriting into ILL has been 
discussed for example in [6]. We would like to mechanise the logic on a theorem prover, and 
we are considering Isabelle, for which there is already a theory of ILL [7]. 